提交 c327cddd 编写于 作者: M Michael Knudsen 提交者: Johan Hedberg

Bluetooth: Stop BCSP/H5 timer before cleaning up

When stopping BCSP/H5, stop the retransmission timer before proceeding
to clean up packet queues.  The previous code had a race condition where
the timer could trigger after the packet lists and protocol structure
had been removed which led to dereferencing NULL or use-after-free bugs.
Signed-off-by: NMichael Knudsen <m.knudsen@samsung.com>
Reported-by: NKirill Tkhai <ktkhai@parallels.com>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
上级 81ad6fd9
...@@ -715,6 +715,9 @@ static int bcsp_open(struct hci_uart *hu) ...@@ -715,6 +715,9 @@ static int bcsp_open(struct hci_uart *hu)
static int bcsp_close(struct hci_uart *hu) static int bcsp_close(struct hci_uart *hu)
{ {
struct bcsp_struct *bcsp = hu->priv; struct bcsp_struct *bcsp = hu->priv;
del_timer_sync(&bcsp->tbcsp);
hu->priv = NULL; hu->priv = NULL;
BT_DBG("hu %p", hu); BT_DBG("hu %p", hu);
...@@ -722,7 +725,6 @@ static int bcsp_close(struct hci_uart *hu) ...@@ -722,7 +725,6 @@ static int bcsp_close(struct hci_uart *hu)
skb_queue_purge(&bcsp->unack); skb_queue_purge(&bcsp->unack);
skb_queue_purge(&bcsp->rel); skb_queue_purge(&bcsp->rel);
skb_queue_purge(&bcsp->unrel); skb_queue_purge(&bcsp->unrel);
del_timer(&bcsp->tbcsp);
kfree(bcsp); kfree(bcsp);
return 0; return 0;
......
...@@ -206,12 +206,12 @@ static int h5_close(struct hci_uart *hu) ...@@ -206,12 +206,12 @@ static int h5_close(struct hci_uart *hu)
{ {
struct h5 *h5 = hu->priv; struct h5 *h5 = hu->priv;
del_timer_sync(&h5->timer);
skb_queue_purge(&h5->unack); skb_queue_purge(&h5->unack);
skb_queue_purge(&h5->rel); skb_queue_purge(&h5->rel);
skb_queue_purge(&h5->unrel); skb_queue_purge(&h5->unrel);
del_timer(&h5->timer);
kfree(h5); kfree(h5);
return 0; return 0;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册